Thursday, July 30, 2009

[Sean is a Forensic Focus forum regular and posts under the username "seanmcl"]

Forensic Focus: Sean, can you tell us something about your background?

Sean McLinden: My first exposure to computers was as an undergraduate when I saw an episode of the PBS series Nova about artificial intelligence (AI). Since I was headed to the University of Pittsburgh to begin graduate study in Medicine, I hooked up with the team of Jack D. Myers, MD, and Harry E. Pople, PhD, who were researching the development of programs which could mimic the actions of human diagnosticians. Their laboratory was kind of a skunkworks which not only explored artificial intelligence, but also computer networking, hardware design and operating systems. Everyone who worked there was expected to be well versed in computer design and applications, and innovative, and there were a lot of opportunities for creativity and independent action. That model became my model for building collaborative teams in which people are encouraged to think independently, question conventional wisdom and be self-motivating.

Following completion of medical training I was recruited to become the head of MIS for what would become a university affiliated teaching hospital. Whereas in the research lab, sharing was the norm, in a patient care setting, the security of the information is paramount. This experience also taught me how production IT operations work, including the human element, an understanding of which is critical to cost-effective enterprise forensics.

From there, I chaired a university graduate program in IT management and then directed a clinical outcomes research group before starting Outcome Technology Associates in 1998.

Forensic Focus: What type of work is Outcome Technology Associates, Inc. engaged in? What does your role as president involve?

Sean McLinden: Outcome Technology Associates began as an organization that developed software and refined practices for the health care industry. Specifically, we did data analysis for patient clinical trials and helped to design systems for the sharing of patient information via data networks. Because our work involved a high degree of confidentiality, we were retained by law firms which had the need not only for data capture and analysis, but also the ability to be discreet. At that time, computer forensics was unheard of and so, "experts" were drawn from the academic and business units where IT practices were the area of specialization.

Our first cases involved simple data recovery, preservation and analysis for use in civil and criminal legal proceedings. The paper record was still the standard for courtroom evidence and most computer forensics involved the detection of traces of the paper record on computers. In 1995, we were consulted by attorneys for the plaintiff on a very large case involving tens of thousands of electronic documents, including e-mail, which was thought to contain evidence of an intentional breach of contract by the defendant. The outcome of the case was a $30 million judgment in favor of our client, and that was the start of our full-time business.

Today we are involved in any and all types of civil and criminal investigations in which the preparation, storage or transmission of information in electronic format is involved. I can say, in all honesty, that each of our cases has had one or more features that are unique among all of our clients, so it would be hard to pin us down as specializing in one form of computer forensics...

Thursday, July 23, 2009

Digital evidence needs to come from somewhere, right? It doesn’t appear, “forensically sound”, from out of the blue. And the phrase “forensically sound” is key – the evidence needs to be acquired in a manner that ensures that the process doesn’t modify the evidence in any manner. There are exceptions to this – cell phones and live acquisitions come to mind – but even then, the process should be minimally invasive.

The key to this acquisition process is the ubiquitous write blocker, probably the most important tool in any acquisition kit. A write blocker was my first forensics hardware purchase and I keep my collection of write blockers up to date religiously.

The differences between write blockers used to be fairly significant in terms of quality, speed, features, and price. In the last year or two the number of options has expanded somewhat, the major vendors all have similar features, and the prices have come down. The major difference appears to be in the layout, form factor, and physical design of the units...
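Whatever the write blocker's form factor, the proof that the acquisition was forensically sound is the same: hash the source as it is read, hash the resulting image, then re-hash the source and confirm nothing moved. The following is an added example (not from the original post or any vendor) that models that check; an in-memory byte buffer stands in for the evidence drive and the image file, and the constructed pseudo-random bytes are sample data.

```python
import hashlib
import io
import random
from typing import BinaryIO, Dict

CHUNK = 64 * 1024
ALGOS = ("md5", "sha256")  # the pair most acquisition reports record side by side


def hash_stream(stream: BinaryIO) -> Dict[str, str]:
    """Hash a stream from offset 0 to EOF with every algorithm in ALGOS."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    stream.seek(0)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def acquire(source: BinaryIO, image: BinaryIO) -> Dict[str, str]:
    """Bit-for-bit copy of source into image, hashing the bytes as they are read."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    source.seek(0)
    image.seek(0)
    for chunk in iter(lambda: source.read(CHUNK), b""):
        image.write(chunk)
        for h in hashers.values():
            h.update(chunk)
    image.truncate()
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(source: BinaryIO, image: BinaryIO, acquisition: Dict[str, str]) -> Dict[str, bool]:
    """Post-acquisition check: the image equals what was read, and the source is unchanged."""
    source_after = hash_stream(source)
    image_hashes = hash_stream(image)
    return {
        "image_matches_acquisition": image_hashes == acquisition,
        "source_unchanged": source_after == acquisition,
    }


def demo(tamper: bool = False) -> Dict[str, bool]:
    """Constructed evidence: 1 MiB of deterministic pseudo-random bytes stands in for a drive."""
    source = io.BytesIO(random.Random(7).randbytes(1 << 20))
    image = io.BytesIO()
    acq = acquire(source, image)
    if tamper:
        # Models a stray write to the original after imaging (the kind of thing a journal
        # replay on mount can do); a write blocker exists to make this impossible.
        source.seek(512)
        source.write(b"\x00")
    return verify(source, image, acq)
```

With `tamper=True` the image still matches the acquisition hashes but the source does not, which is exactly the discrepancy a missing or failed write blocker shows up as.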

Thursday, July 16, 2009

From the forums...ForensicMania asks: "Here is a quick question. I cloned a hard disk using a bit-by-bit copy and kept this hard disk without power in the evidence store. I was wondering whether there is any limitation on the data storage lifetime of that hard disk if it is kept without power, e.g., will the data still be there after five years?"

Logg replies: "You'll want to store your hard drives each in sealed anti-static bags in a climate-controlled (arid) room. The baggies run under a dollar apiece at Fry's (or free if you keep them when you purchase hardware for yourself).

Power is your hard drive's enemy, so as long as you maintain low humidity, mild/moderate temperatures, and a generally dust-free environment, you'll be fine.

A flimsy CD that's damaged simply by prolonged exposure to sunlight can otherwise last up to 100 years in storage (or so they say). An immobilized hard drive (and a backup drive if costs permit!) will last you the necessary 5 years ... with a few decades to spare..."

Monday, July 06, 2009

Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. And if you cannot find the items, or get them to the destination, it doesn't matter how great your tools are.

This kit, and the thoughts and processes behind it, attempt to address concerns I've encountered while doing collections all over the world. That said, it isn't perfect, even for my own needs. Treat this as a framework for building your own kit and if you can improve on this, please let me know how so I can improve my own processes.

Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst...

Cyberstalking is the new urban terror – the message rang home loud and clear at the Digital Safety Conference in London.

For although, in Cyberspace, no-one hears you scream, increasing numbers of people are getting off on imagining it.

The evils of instant communication – texting, live chat, social networking – were laid out in lurid detail before delegates meeting in a brick-lined space known as The Brewery, near the city’s Barbican.

Tales of horror poured out: physical threats and psychological manipulation. The family pursued relentlessly via emails, bulletin board postings and websites dedicated to damaging their names for more than five years. The teenager who suffered Post Traumatic Stress Syndrome following a campaign of anonymous texts. The Information Age exposed in all its gory.

This, said former Scotland Yard detective Hamish Brown, was the intimidation that kills lives, the silent terror that dogs every waking moment for harassed victims. Who stalks and why is the subject of ongoing research, but the trend is that more men stalk women than the other way around. The style of mental torture is similar to that shown in cases of domestic violence, Brown asserted, and the perpetrator often has no previous convictions.

As the first police officer to charge an offender with Grievous Bodily Harm of the mind, Brown passionately believes that victims of cyber violence should be taken more seriously.

“It’s not right that you should have to be punched on the nose for something to happen,” he commented, and asked for a campaign to educate the public on the issue.

Two alarming presentations based on personal experience followed. Graham Brown-Martin described how he, his wife and small child ran from Jamaica to London after enduring a series of death threats and vicious slanders posted on the Internet. The virtual bullying followed them and has continued for five years. Despite continued threats, including an invitation to all-comers to murder the family published with a map of their whereabouts, the authorities have been unable to help. Differences in international law were quoted as the main difficulty.